CN110768792A - Master key generation method and device and encryption and decryption method of sensitive security parameters - Google Patents

Abstract

The embodiment of the invention provides a master key generation method, a master key generation device and an encryption and decryption method of sensitive security parameters, which comprise the following steps: combining personal characteristic data of the mobile intelligent terminal with a server side master key component, and generating a master key based on a combined result; the personal characteristic data of the mobile intelligent terminal is data related to personal characteristics of a user, and the server side master key component is a random number generated by a server side password component. The master key generation method disclosed by the embodiment of the invention adopts the personal characteristic data of the mobile intelligent terminal and the master key component of the server side when generating the master key, and the generation of the master key does not depend on the data of the communication side, thereby effectively improving the safety of the master key.

Description

Master key generation method, device and encryption and decryption method of sensitive security parameters

technical field

The invention relates to the field of network security, in particular to a method and device for generating a master key and an encryption and decryption method for sensitive security parameters.

Background technique

In the environment of open mobile network and portable mobile terminal system, how to protect sensitive security parameters (such as the private key in the public-private key pair) has become the core issue in the design and implementation of the cryptographic software module of the mobile intelligent terminal. In a mobile intelligent terminal, encrypting and storing sensitive security data is the main method to solve the security of the software cryptographic module. The key used to encrypt sensitive security data is also called the master key. The master key is the seed for generating session keys, encryption keys and other types of keys, which is of great significance to the distribution and security protection of these keys. . If the master key is stolen, it will pose a serious threat to the security of sensitive security data.

In the existing public literature, the generation process of the master key is usually not described. The master key generation process described in a few public documents usually takes eigenvalues locally, and uses these eigenvalues to generate the master key. That is to say, the generation of the master key is usually done at one end of the mobile communication (mobile or server). Once this end is breached, the master key or the information used to generate the master key may be leaked to the network. security poses a serious threat.

SUMMARY OF THE INVENTION

Embodiments of the present invention provide a master key generation method, a device, and an encryption and decryption method for sensitive security parameters, which are used to solve the security problem of sensitive security data in the prior art and realize the protection of sensitive security data.

In a first aspect, an embodiment of the present invention provides a method for generating a master key, including:

Combining the personal characteristic data of the mobile intelligent terminal and the server-side master key component, and generating a master key based on the combined result; wherein,

The personal characteristic data of the mobile intelligent terminal is data related to the personal characteristic of the user, and the server-side master key component is a random number generated by the server-side password component.

Based on any of the above embodiments of the present invention, the generating the master key based on the combined result includes: using a key derivation algorithm to calculate the combined result to generate the master key.

The master key generation method disclosed in the embodiment of the present invention uses both the mobile intelligent terminal personal characteristic data of the mobile intelligent terminal and the server master key component of the server when generating the master key. Relying on the data at one end of the communication can effectively improve the security of the master key.

In a second aspect, an embodiment of the present invention provides a sensitive security data encryption method, including:

The mobile intelligent terminal personal characteristic data transmission step, the mobile intelligent terminal password component transmits the obtained mobile intelligent terminal personal characteristic data to the server password component;

The step of storing the server-side master key component and the mobile intelligent terminal personal characteristic data, the server-side cipher component saves the generated server-side master key component and the received personal characteristic data of the mobile intelligent terminal in a key container ;

a server-side master key component transmission step, wherein the mobile intelligent terminal cryptographic component receives the server-side master key component from the server-side cryptographic component;

The master key generation step, based on the personal characteristic data of the mobile intelligent terminal and the server master key component, adopts the master key generation method to generate a master key;

In the encryption step, the master key is used to encrypt the sensitive security data, and the encrypted sensitive security data is stored in the key container.

Based on any of the above embodiments of the present invention, the step of transmitting personal characteristic data of the mobile intelligent terminal includes:

After the server cryptographic component obtains the random number R, it sends the random number R to the mobile intelligent terminal cryptographic component;

The mobile intelligent terminal cryptographic component generates its own public and private key pair (P _M , D _m ), and calculates the hash value HPPD of the personal characteristic data of the mobile intelligent terminal;

The cryptographic component of the smart mobile terminal uses the random number R, the hash value HPPD of the personal characteristic data, and the combined value ( _R ||HPPD|| _PM ) of the public key PM of the cryptographic component of the smart mobile terminal with a randomly generated key r _M is encrypted to obtain C ₁ , and C ₂ is obtained by encrypting the randomly generated key r _M by using the public key P _S of the cryptographic component of the server; wherein, || represents a combination;

The mobile intelligent terminal cryptographic component sends the data C ₂ ||C ₁ to the server-side cryptographic component.

Based on any of the above embodiments of the present invention, the step of storing the server master key component and the personal characteristic data of the mobile intelligent terminal includes:

The server-side cryptographic component receives data C ₂ ||C ₁ , then decrypts C ₂ with its own private key d _S to obtain a randomly generated key r _M , and then decrypts C ₁ with r _M to obtain (R||HPPD| |P _M );

The server cipher component generates a user ID, generates a server master key component SS-MKC, and then combines the hash value HPPD of the personal characteristic data, the server master key component SS-MKC, and the public key P of the mobile intelligent terminal cipher component. _M and PPD attempts are combined to generate (HPPD||SS-MKC||P _M ||PPD attempts) using the server-side password component storage key K _S for encryption, and the encrypted result is stored in the user ID as an index. In the key container; wherein, the number of PPD attempts is a value used to reflect the number of times the user attempts to enter personal characteristic information.

Based on any of the above embodiments of the present invention, the step of transmitting the server master key component includes:

The server-side cipher component combines the random number R, the server-side master key component SS-MKC, and the user ID to generate (R||MKC||user ID) and signs it with the server-side cipher component's own key d _S to obtain rs ₁ ;

The server-side cipher component encrypts (R||MKC||user ID||rs ₁ ) with another randomly generated key r _Ms to obtain C _1s , and uses the key r _Ms with the mobile smart terminal cipher component The public key PM encrypts to obtain _{C 2s} ;

The server-side cryptographic component sends C _2s || C _1s to the mobile intelligent terminal cryptographic component;

The mobile intelligent terminal cryptographic component uses its own private key d _M to decrypt C _2s to obtain r _Ms , and then uses r _Ms to decrypt C _1s to obtain (R||MKC||user ID||rs ₁ );

The mobile intelligent terminal cryptographic component signature verification rs1 _;

The mobile intelligent terminal password component stores the user ID as the identification of the mobile intelligent terminal password component.

The sensitive security data encryption method disclosed in the embodiment of the present invention generates a master key based on the personal characteristic data of the mobile intelligent terminal and the server master key component, encrypts the sensitive security data by using the master key, and encrypts the server master key The key components, the personal characteristic data of the mobile smart terminal, and the sensitive security data encrypted with the master key are all stored in the key container, which greatly increases the security of the sensitive security data.

In a third aspect, an embodiment of the present invention provides a sensitive security data decryption method for decrypting sensitive security data encrypted by the sensitive security data encryption method, including:

The step of transmitting the personal characteristic data of the mobile intelligent terminal to be verified, the mobile intelligent terminal password component transmits the obtained personal characteristic data of the mobile intelligent terminal to be verified to the server password component;

The step of successfully verifying the personal data of the mobile intelligent terminal, the server-side cipher component extracts the stored personal characteristic data of the mobile intelligent terminal and the server-side master key component from the key container, and the mobile intelligent terminal personal characteristic data to be verified is the same as the one. The stored personal data of the mobile intelligent terminal is checked and consistent;

The server master key component transmission step, the server master key component is transmitted to the mobile intelligent terminal encryption component;

The master key generation step, based on the personal characteristic data of the mobile intelligent terminal and the server master key component, adopts the master key generation method to generate a master key;

In the decryption step, the encrypted sensitive security data is obtained from the key container, and the encrypted sensitive security data is decrypted by using the master key to obtain unencrypted sensitive security data.

Based on any of the above embodiments of the present invention, the method further includes: a step of failing the personal data verification of the mobile intelligent terminal, wherein the server-side cipher component extracts the stored personal characteristic data of the mobile intelligent terminal and the server-side master key component from the key container, The personal characteristic data of the mobile intelligent terminal to be verified is inconsistent with the stored personal data of the mobile intelligent terminal, the server master key component is cleared, and the mobile intelligent terminal password component identifies the server If the value of the master key component is zero, it will prompt failure and end the operation.

Based on any of the above embodiments of the present invention, the step of transmitting the personal characteristic data of the mobile intelligent terminal to be verified includes:

The mobile intelligent terminal password component requests the mobile intelligent terminal personal characteristic data verification from the server-side password component;

The server-side cryptographic component sends a random number R to the mobile intelligent terminal cryptographic component;

The cryptographic component of the smart mobile terminal combines the random number R, the user ID, and the hash value HPPD' of the personal characteristic data of the smart mobile terminal to be verified, and randomly generates the key r according to the combined result (R||user ID||HPPD'). _M1 and r _M2 , use r _M1 to encrypt to obtain C ₁ , and encrypt C ₁ ||r _M1 ||r _M2 with the public key P _S of the server cipher component to obtain C ₂ ;

The mobile intelligent terminal cryptographic component sends the data (C ₂ ||C ₁ ) to the server-side cryptographic component.

Based on any of the above embodiments of the present invention, the successful step of verifying the personal data of the mobile intelligent terminal includes:

The server-side cryptographic component uses its own private key d _S to decrypt C ₂ to obtain r _M1 and r _M2 , and then uses r _M1 to decrypt C ₁ to obtain (R||user ID||HPPD');

The server cipher component obtains the corresponding data of the mobile intelligent terminal cipher component (HPPD||MKC||PM||PPD attempts) from the key container according to the user ID, and decrypts it with the server cipher component storage key K _S , The consistency of the hash value HPPD' of the personal characteristic data of the mobile intelligent terminal to be verified and the hash value HPPD of the personal characteristic data of the mobile intelligent terminal, and the number of PPD attempts are successfully verified.

The sensitive security data decryption method provided by the embodiment of the present invention generates a master key based on the personal characteristic data of the mobile intelligent terminal and the server master key component, and decrypts the encrypted sensitive security data by using the master key. Before the key, it is necessary to compare and verify the personal characteristic data of the mobile intelligent terminal to be verified with the personal characteristic data of the mobile intelligent terminal stored in the key container in advance, so the security of sensitive security data can be greatly improved.

In a fourth aspect, an embodiment of the present invention provides an apparatus for generating a master key, including:

The master key generation module is used to combine the personal characteristic data of the mobile intelligent terminal and the server master key component, and generate a master key based on the combined result; wherein,

The personal characteristic data of the mobile intelligent terminal is data related to the personal characteristic of the user, and the server-side master key component is a random number generated by the server-side password component.

Based on any of the above embodiments of the present invention, the generating the master key based on the combined result includes: using a key derivation algorithm to calculate the combined result to generate the master key.

In a fifth aspect, an embodiment of the present invention provides a sensitive security data encryption device, including:

The mobile intelligent terminal personal characteristic data transmission module is used for the mobile intelligent terminal password component to transmit the obtained mobile intelligent terminal personal characteristic data to the server password component;

The server-side master key component and the mobile intelligent terminal personal characteristic data storage module is used for the server-side cipher component to store the generated server-side master key component and the received personal characteristic data of the mobile intelligent terminal in the key. in a container;

a server-side master key component transmission module, used for the mobile intelligent terminal cryptographic component to receive the server-side master key component from the server-side cryptographic component;

a master key generation module for generating a master key by using the master key generation device based on the personal characteristic data of the mobile intelligent terminal and the server master key component;

The encryption module is used for encrypting the sensitive security data by using the master key, and storing the encrypted sensitive security data in the key container.

Based on any of the above embodiments of the present invention, the personal characteristic data transmission module of the mobile intelligent terminal includes:

a random number generation and transmission unit, configured to send the random number R to the mobile smart terminal cryptographic component after the server-side cryptographic component obtains the random number R;

a key pair and hash value generation unit, used for the mobile intelligent terminal cryptographic component to generate its own public and private key pair (P _M , D _m ), and to calculate the hash value HPPD of the personal characteristic data of the mobile intelligent terminal;

A merging and encrypting unit, used for the random number R, the hash value HPPD of the personal characteristic data, and the combined value ( _R ||HPPD|| _PM ) of the public key PM of the cryptographic component of the mobile intelligent terminal Use the randomly generated key r _M to encrypt to obtain C ₁ , and use the public key P _S of the server cipher component to encrypt the randomly generated key r _M to obtain C ₂ ; where || represents a combination;

A transmission unit, used for the mobile smart terminal cryptographic component to send the data C ₂ ||C ₁ to the server-side cryptographic component.

Based on any of the above embodiments of the present invention, the server master key component and the mobile intelligent terminal personal characteristic data storage module include:

A decryption unit, used for the server cipher component to receive data C ₂ ||C ₁ , and then use its own private key d _S to decrypt C ₂ to obtain a randomly generated key r _M , and then use r _M to decrypt C ₁ to obtain ( R||HPPD||P _M );

The storage unit is used for the server cipher component to generate the user ID, the server master key component SS-MKC, and then the hash value HPPD of the personal characteristic data, the server master key component SS-MKC, the mobile intelligent terminal password The public key P _M of the component and the number of PPD attempts are combined to generate (HPPD||SS-MKC|| _PM ||PPD attempts) using the server-side password component storage key K _S to encrypt, and the encrypted result is encrypted by the user The ID is an index stored in the key container; among them, the number of PPD attempts is a value used to reflect the number of times the user attempts to input personal characteristic information.

Based on any of the above embodiments of the present invention, the server master key component transmission module includes:

The merging and signing unit is used for the random number R, the server master key component SS-MKC, and the user ID to be generated by the server cipher component (R||MKC||user ID), which is encrypted by the server cipher component itself. The key d _S is signed, and rs ₁ is obtained;

an encryption unit, used for the server-side cipher component to encrypt (R||MKC||user ID||rs ₁ ) with another randomly generated key r _Ms to obtain C _1s , and use the key r _{Ms C 2s} is obtained by encrypting the public key PM of the cryptographic component of the mobile intelligent terminal;

a transmission unit, used for the server cipher component to send C _2s ||C _1s to the mobile intelligent terminal cipher component;

A decryption unit, used for the mobile intelligent terminal cryptographic component to decrypt C _2s using its own private key d _M to obtain r _Ms , and then use r _Ms to decrypt C _1s to obtain (R||MKC||user ID||rs ₁ );

a signature verification unit, used for signature verification rs ₁ of the cryptographic component of the mobile intelligent terminal;

A storage unit, used for the smart mobile terminal password component to store the user ID as the identification of the mobile smart terminal password component.

In a sixth aspect, an embodiment of the present invention provides a sensitive security data decryption device for decrypting sensitive security data encrypted by the sensitive security data encryption device, including:

The personal characteristic data transmission module of the mobile intelligent terminal to be verified is used for the mobile intelligent terminal password component to transmit the obtained personal characteristic data of the mobile intelligent terminal to be verified to the server password component;

The mobile intelligent terminal personal data verification success module is used for the server cipher component to extract the stored personal characteristic data of the mobile intelligent terminal and the server master key component from the key container, and the personal characteristics of the mobile intelligent terminal to be verified. The data is checked and consistent with the stored personal data of the mobile smart terminal;

a server-side master key component transmission module, used for transmitting the server-side master key component to the mobile intelligent terminal cryptographic component;

a master key generation module for generating a master key by using the master key generation device based on the personal characteristic data of the mobile intelligent terminal and the server master key component;

The decryption module is used to obtain the encrypted sensitive security data from the key container, and use the master key to decrypt the encrypted sensitive security data to obtain unencrypted sensitive security data.

Based on any of the above embodiments of the present invention, it further includes: a mobile intelligent terminal personal data verification failure module, used by the server-side cryptographic component to extract the stored personal characteristic data of the mobile intelligent terminal and the server-side master key from the key container component, the personal characteristic data of the mobile intelligent terminal to be verified is inconsistent with the stored personal data of the mobile intelligent terminal, the component of the server master key is cleared, and the mobile intelligent terminal password component identifies the When the value of the server's master key component is zero, it will prompt failure and end the operation.

Based on any of the above embodiments of the present invention, the personal characteristic data transmission module of the mobile intelligent terminal to be verified includes:

a request verification unit, used for the mobile intelligent terminal password component to request the mobile intelligent terminal personal characteristic data verification from the server password component;

a transmission unit, used for the server cipher component to send a random number R to the mobile intelligent terminal cipher component;

The merging and encryption unit is used for the mobile intelligent terminal password component to merge the random number R, the user ID, and the hash value HPPD' of the personal characteristic data of the mobile intelligent terminal to be verified, and according to the combination result (R||user ID|| HPPD′) randomly generate keys r _M1 and r _M2 respectively, use r _M1 to encrypt to obtain C ₁ , and encrypt C ₁ ||r _M1 ||r _M2 with the public key P _S of the server cryptographic component to obtain C ₂ ;

A transmission unit, used for the mobile smart terminal cryptographic component to send the data (C ₂ ||C ₁ ) to the server-side cryptographic component.

Based on any of the above embodiments of the present invention, the successful module for personal data verification of the mobile intelligent terminal includes:

a decryption unit, used for the server cryptographic component to decrypt C ₂ using its own private key d _S to obtain r _M1 and r _M2 , and then use r _M1 to decrypt C ₁ to obtain (R||user ID||HPPD');

The verification success unit is used for the server-side password component to obtain the corresponding data (HPPD||MKC||PM||PPD attempts) from the key container of the mobile intelligent terminal according to the user ID, and store it in the server-side password component The key K _S is decrypted to successfully verify the consistency of the hash value HPPD' of the personal characteristic data of the mobile intelligent terminal to be verified and the hash value HPPD of the personal characteristic data of the mobile intelligent terminal, and the number of PPD attempts.

In a seventh aspect, an embodiment of the present invention provides an electronic device, including a memory, a processor, and a computer program stored in the memory and running on the processor, the processor implementing the master secret when executing the program. The steps of the key generation method, or the steps of implementing the method for encrypting sensitive security data, or the steps for implementing the method for decrypting sensitive security data.

In an eighth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, implements the steps of the master key generation method described above, or implements the steps of the master key generation method as described above. The steps of the sensitive security data encryption method, or the steps of implementing the sensitive security data decryption method.

Description of drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the following briefly introduces the accompanying drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description These are some embodiments of the present invention. For those of ordinary skill in the art, other drawings can also be obtained according to these drawings without creative efforts.

Fig. 1 is the structural representation of the mobile intelligent terminal password component and the server-side password component in the prior art;

2 is a flowchart of a method for generating a master key provided by an embodiment of the present invention;

3 is a flowchart of a sensitive security data encryption method provided by an embodiment of the present invention;

4 is a schematic diagram of an initialization process of a password component of a mobile smart terminal provided by an embodiment of the present invention;

5 is a flowchart of a method for decrypting sensitive security data provided by an embodiment of the present invention;

6 is a flowchart of personal feature data verification of a mobile intelligent terminal provided by an embodiment of the present invention;

7 is a structural diagram of an apparatus for generating a master key provided by an embodiment of the present invention;

8 is a structural diagram of a sensitive security data encryption device provided by an embodiment of the present invention;

9 is a structural diagram of an apparatus for decrypting sensitive security data provided by an embodiment of the present invention;

FIG. 10 illustrates a schematic diagram of the physical structure of an electronic device.

Detailed ways

In order to make the purposes, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments These are some embodiments of the present invention, but not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.

For ease of understanding, before the detailed description of the embodiments of the present invention, the mobile smart terminal cryptography components (MST-CC, Mobile Smart Terminal-Cryptography Components) and server-side cryptography components (SS-CC) related to password generation and management in the process of mobile communication CC, Server Side-Cryptography Components) to explain.

FIG. 1 is a schematic diagram of a mobile smart terminal cryptographic component and a server-side cryptographic component. As shown in Figure 1, the mobile intelligent terminal cryptographic component at least includes: a first cryptographic algorithm implementation unit, a personal profile data (PPD, PersonalProfile Data) management unit, a master key (MK, Master Key) generation unit, server-side cryptographic component communication unit and mobile intelligent terminal password component service interface; wherein, the first password algorithm implementation unit is used to realize the password algorithm; the personal characteristic data management unit is used to realize the mobile intelligent terminal personal characteristic data (MST-PPD, MobileSmart Terminal- The input and verification of Personal Profile Data); the master key generation unit is used to generate the master key; the server-side cipher component communication unit is responsible for establishing a secure communication connection with the server-side cipher component, wherein the server-side cipher component public key is preset; The terminal cryptographic component service interface is the interface between the mobile intelligent terminal cryptographic component and the mobile application, which at least includes a data interface, a control interface and a status output interface.

The server-side cryptographic component at least includes: a second cryptographic algorithm implementation unit, a personal identification number (PIN, PersonalIdentification Number) management unit, a key container, a mobile smart terminal cryptographic component management unit, and a mobile smart terminal cryptographic component communication unit; The cryptographic algorithm implementation unit is used to implement approved cryptographic algorithms, such as SM2, SM3, and SM4; the personal identification code management unit is used to verify the PIN code of the password supervisor and start the server-side cryptographic component; the key container is used to store and manage sensitive security parameters. Files and sensitive security parameters in the server-side password component are encrypted and stored in the key container, and the key container can only be used after the password supervisor PIN code verification is passed; the mobile intelligent terminal password component management unit is used to complete the personal characteristics of the mobile intelligent terminal Data verification and Server Side-Master Key Component (SS-MKC, Server Side-Master Key Component) generation; the mobile intelligent terminal cryptographic component communication unit is used to provide a communication connection interface with the mobile intelligent terminal cryptographic component.

In the process of mobile communication, information can be exchanged between the mobile smart terminal cryptographic components and the server-side cryptographic components; Software Development Kit) invokes the software interface of the mobile smart terminal cryptographic component; the mobile smart terminal cryptographic component runs in a process space independent of the operating system, and the mobile application exchanges information with the mobile smart terminal cryptographic component through the operating system inter-process communication mechanism.

The above is the description of the mobile intelligent terminal password component located in the mobile intelligent terminal and the server-side password component located in the server side in the process of mobile communication.

Based on the aforementioned mobile intelligent terminal cryptographic components and server cryptographic components, the embodiments of the present invention provide a method for generating a master key. FIG. 2 is a flowchart of a method for generating a master key provided by an embodiment of the present invention. As shown in FIG. 2 , the method includes:

Step 201: Combine the personal characteristic data of the mobile intelligent terminal with the server master key component, and generate a master key based on the combined result.

In the embodiment of the present invention, the personal characteristic data of the mobile intelligent terminal is data with obvious personal characteristics such as the password set by the user, the user's fingerprint, palm print, facial features, etc. In other embodiments of the present invention, it may also be the present Other personal characteristic data will occur to those skilled in the art. The personal characteristic data of the mobile intelligent terminal is acquired by the mobile intelligent terminal password component, and the acquisition method may be real-time input by the user through the input interface of the mobile intelligent terminal device, or pre-stored in the mobile intelligent terminal device by the user.

In this embodiment of the present invention, the server master key component may be a randomly generated random number. The server-side master key component is generated by the server-side cryptographic component.

In the embodiment of the present invention, a key derivation algorithm (KDA, Key Derivation Algorithms) is used to calculate the result of combining the personal characteristic data of the mobile intelligent terminal and the server master key component to generate the master key.

In the embodiment of the present invention, the operation of combining the personal characteristic data of the mobile intelligent terminal with the server master key component and generating the master key is implemented in the mobile intelligent terminal password component of the mobile intelligent terminal. After the server master key component is generated on the server cipher component, it is transmitted from the server cipher component to the mobile intelligent terminal cipher component. During the transmission process, the server master key component to be transmitted is encrypted and decrypted to improve Security of data transmission.

The master key generation method disclosed in the embodiment of the present invention uses both the mobile intelligent terminal personal characteristic data of the mobile intelligent terminal and the server master key component of the server when generating the master key. Relying on the data at one end of the communication can effectively improve the security of the master key.

Based on any of the above embodiments of the present invention, FIG. 3 is a flowchart of a method for encrypting sensitive security data provided by an embodiment of the present invention. As shown in FIG. 3 , the method for encrypting sensitive security data provided by an embodiment of the present invention includes:

Step 301: The mobile intelligent terminal password component transmits the obtained personal characteristic data of the mobile intelligent terminal to the server password component;

Step 302, the server cipher component saves the generated server master key component and the received personal characteristic data of the mobile intelligent terminal in the key container;

Step 303, the mobile intelligent terminal cryptographic component receives the server master key component from the server cryptographic component;

Step 304, using the aforementioned master key generation method to generate the master key, that is: combining the personal characteristic data of the mobile intelligent terminal and the server master key component, and generating the master key based on the combined result;

Step 305: Encrypt the sensitive security data with the master key, and then save the encrypted sensitive security data in the key container of the server-side cryptographic component.

The sensitive security data encryption method disclosed in the embodiment of the present invention generates a master key based on the personal characteristic data of the mobile intelligent terminal and the server master key component, encrypts the sensitive security data by using the master key, and encrypts the server master key The key components, the personal characteristic data of the smart mobile terminal, and the sensitive security data encrypted with the master key (such as the private key of the cryptographic component of the smart mobile terminal) are all stored in the key container, which greatly increases the security of the sensitive security data.

Based on any of the above embodiments of the present invention, the sensitive security data encryption method provided by another embodiment of the present invention further expands the relevant steps of the sensitive security data encryption method shown in FIG. 3; wherein, the step 301 further includes:

After the server cryptographic component obtains the random number R, it sends the random number R to the mobile intelligent terminal cryptographic component;

The mobile intelligent terminal cryptographic component generates its own public-private key pair (PM, Dm), and calculates the hash value HPPD of the personal characteristic data of the mobile intelligent terminal;

The cryptographic component of the mobile smart terminal encrypts the random number R, the hash value HPPD of the personal characteristic data, and the combined value (R||HPPD||PM) of the public key PM of the cryptographic component of the mobile smart terminal with a randomly generated key rM, C1 is obtained, and C2 is obtained by encrypting the randomly generated key rM with the public key PS of the server-side cryptographic component; wherein, || represents a combination;

The mobile intelligent terminal cryptographic component sends the data C2||C1 to the server-side cryptographic component.

The step 302 further includes:

The server-side cryptographic component receives data C2||C1, then decrypts C2 using its own private key dS to obtain a randomly generated key rM, and then uses rM to decrypt C1 to obtain (R||HPPD||PM);

The server cipher component generates a user ID, generates a server master key component SS-MKC, and then combines the hash value HPPD of the personal feature data, the server master key component SS-MKC, and the public key PM of the mobile intelligent terminal cipher component. , the number of PPD attempts (HPPD||SS-MKC||PM||PPD attempts) is encrypted using the server-side password component storage key KS, and the encrypted result is stored in the key container with the user ID as the index Among them, the number of PPD attempts is a value used to reflect the number of times the user attempts to input personal characteristic information.

The step 303 further includes:

The server-side cipher component combines the random number R, the server-side master key component SS-MKC, and the user ID to generate (R||MKC||user ID) and signs it with the server-side cipher component's own key d _S to obtain rs ₁ ;

The server-side cipher component encrypts (R||MKC||user ID||rs ₁ ) with another randomly generated key r _Ms to obtain C _1s , and uses the key r _Ms with the mobile smart terminal cipher component The public key PM encrypts to obtain _{C 2s} ;

The server-side cryptographic component sends C _2s || C _1s to the mobile intelligent terminal cryptographic component;

The mobile intelligent terminal cryptographic component uses its own private key d _M to decrypt C _2s to obtain r _Ms , and then uses r _Ms to decrypt C _1s to obtain (R||MKC||user ID||rs ₁ );

The mobile intelligent terminal cryptographic component signature verification rs1 _;

The mobile intelligent terminal password component stores the user ID as the identification of the mobile intelligent terminal password component.

The sensitive security data encryption method provided by the embodiment of the present invention further introduces a security mechanism, and further ensures data security by encrypting the personal characteristic data of the mobile intelligent terminal and the server master key component during the transmission process.

The sensitive security data encryption method provided by the embodiment of the present invention can be applied to the field of mobile communication. For example, the mobile smart terminal cryptographic component needs to be initialized when it runs for the first time, and the sensitive security data encryption method needs to be used in the initialization process. The initialization process of the password component of the mobile smart terminal will be described in detail below.

When the mobile smart terminal cryptographic component is released, the public key PS of the server-side cryptographic component is usually built in; when the initialization of the mobile smart terminal cryptographic component starts, the user should have entered personal characteristic data, the server-side cryptographic component should have been started, and the The password supervisor PIN code generation server password component stores the key KS.

Fig. 4 is the schematic diagram of the initialization process of the password component of the mobile intelligent terminal, and the basic steps are as follows:

Step 401, self-check of the password component of the mobile smart terminal;

Step 402, the mobile intelligent terminal cryptographic component requests initialization from the server-side cryptographic component;

Step 403: After obtaining the random number R, the server cipher component sends the mobile intelligent terminal cipher component;

Step 404, the mobile smart terminal cryptographic component generates a public-private key pair (PM, dM) of the mobile smart terminal cryptographic component, and calculates the hash value HPPD of the personal characteristic data (PPD);

Step 405: The random number R, the hash value HPPD of the personal characteristic data, and the combined value (R||HPPD||P _M ) of the public key _PM of the cryptographic component of the mobile intelligent terminal are randomly generated by the cryptographic component of the mobile intelligent terminal r _M is encrypted to obtain C ₁ , and C ₂ is obtained by encrypting the aforementioned randomly generated key r _M by using the public key P _S of the cryptographic component of the server;

Step 406, the mobile smart terminal cryptographic component sends the data C ₂ ||C ₁ to the server-side cryptographic component;

Step 407: The server-side cryptographic component receives the data C ₂ ||C ₁ , then decrypts C ₂ using its own private key d _S to obtain a randomly generated key r _M , and then uses r _M to decrypt C ₁ to obtain (R||HPPD ||P _M );

Step 408, the server password component generates a user ID, generates a server master key component SS-MKC (referred to as MKC), and then combines the hash value HPPD of the personal feature data, the server master key component SS-MKC, and the mobile intelligent terminal password. The component's public key PM and PPD attempts are combined to generate (HPPD||MKC||PM ||PPD attempts _{) using the server-side password component storage key K S for} encryption, and the encrypted result is indexed by the user ID Stored in the key container; wherein, the number of PPD attempts is a value used to reflect the number of times the user attempts to enter personal characteristic information;

Step 409: The server cipher component combines the random number R, the server master key component SS-MKC, and the user ID to generate (R||MKC||user ID) and signs it with the server cipher component's own key d _S to obtain rs1 _;

Step 410: The server-side password component encrypts (R||MKC||user ID||rs ₁ ) with another randomly generated key r _Ms to obtain C _1s , and uses the mobile smart terminal password for the key r _Ms The public key PM of the component is encrypted to obtain _{C 2s} ;

Step 411: The server-side cryptographic component sends C _2s ||C _1s to the mobile intelligent terminal cryptographic component;

Step 412, the mobile intelligent terminal cryptographic component decrypts C _2s using its own private key d _M to obtain r _Ms , and then uses r _Ms to decrypt C _1s to obtain (R||MKC||user ID||rs ₁ );

Step 413, mobile intelligent terminal cryptographic component signature verification rs1 _;

Step 414, the mobile intelligent terminal password component saves the user ID as the identification of the mobile intelligent terminal password component;

Step 415, the mobile intelligent terminal cryptographic component takes the combined value (PPD||MKC) of the personal characteristic parameter PPD and the server master key component MKC as a parameter, uses the key derivation algorithm KDF() to calculate, and obtains the master key MK;

Step 416, the mobile intelligent terminal cipher component encrypts the sensitive security data (such as the mobile intelligent terminal cipher component private key d _M ) using the master key MK, and saves it in the key container;

Step 417: The cryptographic component of the mobile intelligent terminal outputs the public key _PM to the mobile application, and the initialization is completed.

It can be seen from the above description of the initialization process of the password component of the mobile smart terminal that this process includes all the steps of the sensitive security data encryption method, and is a specific application of the sensitive security data encryption method.

The embodiment of the present invention also provides a method for decrypting encrypted sensitive security data, where the encrypted sensitive security data is obtained by encrypting the sensitive security data encryption method based on any of the above embodiments of the present invention. FIG. 5 is a flowchart of a method for decrypting sensitive security data provided by an embodiment of the present invention. As shown in FIG. 5 , the method for decrypting sensitive security data provided by an embodiment of the present invention includes:

Step 501: The mobile intelligent terminal password component transmits the obtained personal characteristic data of the mobile intelligent terminal to be verified to the server password component;

Step 502, the server cryptographic component extracts the stored personal characteristic data of the mobile intelligent terminal and the server master key component from the key container, and then combines the personal characteristic data of the mobile intelligent terminal to be verified with the stored mobile intelligent terminal. Check the personal data, if the two are inconsistent, clear the server master key component to zero, otherwise the value of the server master key component remains unchanged;

Step 503, the mobile intelligent terminal cryptographic component receives the server master key component, when the value of the server master key component is zero, it prompts failure, and ends the operation, otherwise the next step is performed;

Step 504, using the aforementioned master key generation method to generate the master key, namely: combining the personal characteristic data of the mobile intelligent terminal and the server master key component, and generating the master key based on the combined result;

In this step, since the personal characteristic data of the mobile intelligent terminal to be verified and the stored personal data of the mobile intelligent terminal have been verified to be consistent in the previous steps, the personal characteristic data of the mobile intelligent terminal may be the mobile intelligent terminal in step 501. Personal characteristic data of the mobile smart terminal to be verified obtained by the smart terminal password component.

Step 505: Obtain the encrypted sensitive security data from the key container of the cryptographic component of the server, and decrypt the encrypted sensitive security data by using the master key to obtain unencrypted sensitive security data.

The sensitive security data decryption method provided by the embodiment of the present invention generates a master key based on the personal characteristic data of the mobile intelligent terminal and the server master key component, and decrypts the encrypted sensitive security data by using the master key. Before the key, it is necessary to compare and verify the personal characteristic data of the mobile intelligent terminal to be verified with the personal characteristic data of the mobile intelligent terminal stored in the key container in advance, so the security of sensitive security data can be greatly improved.

Based on any of the above embodiments of the present invention, the sensitive security data decryption method provided by another embodiment of the present invention further expands the relevant steps of the sensitive security data decryption method shown in FIG. 5; wherein,

The step 501 further includes:

The mobile intelligent terminal password component requests the mobile intelligent terminal personal characteristic data verification from the server-side password component;

The server-side cryptographic component sends a random number R to the mobile intelligent terminal cryptographic component;

The cryptographic component of the smart mobile terminal combines the random number R, the user ID, and the hash value HPPD' of the personal characteristic data of the smart mobile terminal to be verified, and randomly generates the key r according to the combined result (R||user ID||HPPD'). _M1 and r _M2 , use r _M1 to encrypt to obtain C ₁ , and encrypt C ₁ ||r _M1 ||r _M2 with the public key P _S of the server cipher component to obtain C ₂ ;

The mobile intelligent terminal cryptographic component sends the data (C ₂ ||C ₁ ) to the server-side cryptographic component.

The step 502 further includes:

The server-side cryptographic component uses its own private key d _S to decrypt C ₂ to obtain r _M1 and r _M2 , and then uses r _M1 to decrypt C ₁ to obtain (R||user ID||HPPD');

The server cipher component obtains the corresponding data of the mobile intelligent terminal cipher component (HPPD||MKC||PM||PPD attempts) from the key container according to the user ID, and decrypts it with the server cipher component storage key K _S , Verify the consistency of the hash value HPPD' of the personal characteristic data of the mobile intelligent terminal to be verified and the hash value HPPD of the personal characteristic data of the mobile intelligent terminal, and the number of PPD attempts. If the verification fails, clear the server master key component to zero. If successful, the value of the server master key component remains unchanged.

The sensitive security data decryption method provided by the embodiment of the present invention further introduces a security mechanism, and further ensures data security by encrypting the personal characteristic data of the mobile intelligent terminal and the server master key component during the transmission process.

The sensitive security data decryption method provided by the embodiment of the present invention can be applied to the field of mobile communication. For example, the password component of the mobile intelligent terminal needs to verify the correctness of the personal characteristic data of the mobile intelligent terminal before providing the password service. The sensitive security data decryption method provided by the embodiment of the invention. The verification process of the personal characteristic data of the mobile intelligent terminal will be described in detail below.

According to the description of the initialization process of the cipher component of the mobile intelligent terminal in the foregoing embodiments of the present invention, the private key of the cipher component of the mobile intelligent terminal is encrypted by the master key and then stored in the key container. Before the key component generates the master key, the private key in the key container cannot be obtained. The mobile intelligent terminal password component can only provide the personal characteristic data of the mobile intelligent terminal input by the mobile application user and verify its correctness. password service.

Before verifying the personal feature data of the smart mobile terminal, the cryptographic component of the smart mobile terminal already has: the public key PS of the _{cryptographic} component of the server, the mobile application user ID (user ID), the hash value HPPD of the personal feature data of the smart mobile terminal to be verified '.

Fig. 6 is the flow chart of the personal characteristic data verification of mobile intelligent terminal, the basic steps are as follows:

Step 601, the mobile intelligent terminal password component requests the mobile intelligent terminal personal characteristic data verification from the server-side password component;

Step 602, the server-side cryptographic component sends a random number R to the mobile intelligent terminal cryptographic component;

Step 603: The mobile intelligent terminal password component merges the random number R, the user ID, and the hash value HPPD' of the personal characteristic data of the mobile intelligent terminal to be verified, and randomly generates them according to the merged result (R||user ID||HPPD'). The keys r _M1 and r _M2 are encrypted using r _M1 to obtain C ₁ , and C ₁ ||r _M1 ||r _M2 is encrypted with the public key P _S of the server cipher component to obtain C ₂ ;

Step 604: The mobile smart terminal cryptographic component sends the data (C ₂ ||C ₁ ) to the server-side cryptographic component;

Step 605: The server-side cryptographic component decrypts C ₂ using its own private key d _S to obtain r _M1 and r _M2 , and then uses r _M1 to decrypt C ₁ to obtain (R||user ID||HPPD');

Step 606: The server-side cipher component obtains the corresponding data (HPPD||MKC||PM||PPD attempts) from the key container according to the user ID, and decrypts it with the server-side cipher component storage key K _S , verify the consistency of the hash value HPPD' of the personal characteristic data of the mobile intelligent terminal to be verified and the hash value HPPD of the personal characteristic data of the mobile intelligent terminal, and the number of PPD attempts. If one of the above conditions is not satisfied, set the server master key component MKC to zero (Identifies MST-PPD verification failure), modify the number of PPD attempts; if the above conditions are met, go to the next step directly;

Step 607, the server-side cryptographic component encrypts (R||MKC||PPD attempts) with the key r _M2 of the mobile smart terminal cryptographic component, obtains C _2S , and sends the C _2S to the mobile smart terminal cryptographic component;

Step 608: The mobile intelligent terminal cipher component decrypts C _2S using the key rM2 of the mobile intelligent terminal cipher component to obtain (R||MKC||PPD attempts); if MKC is zero, return the personal characteristic data of the mobile intelligent terminal Verify the failure result with the number of PPD attempts; otherwise, continue to the next step;

Step 609: The cryptographic component of the mobile intelligent terminal takes (PPD||MKC) as a parameter, uses the key derivation algorithm KDF() to calculate the master key MK, and uses the master key MK to decrypt the sensitive security parameters in the key container (such as mobile Intelligent terminal cryptographic component private key d _M ).

Step 610, the verification of the personal characteristic data of the mobile intelligent terminal ends.

It can be seen from the above description of the verification process of the personal characteristic data of the mobile intelligent terminal that this process includes all the steps of the sensitive security data decryption method, and is a specific application of the sensitive security data decryption method.

Based on any of the above embodiments, FIG. 7 is a structural diagram of an apparatus for generating a master key provided by an embodiment of the present invention. As shown in FIG. 7 , the apparatus for generating a master key provided by an embodiment of the present invention includes:

The master key generation module 701 is used to combine the personal characteristic data of the mobile intelligent terminal and the server master key component, and generate a master key based on the combined result; wherein,

The personal characteristic data of the mobile intelligent terminal is data related to the personal characteristic of the user, and the server-side master key component is a random number generated by the server-side password component.

In the embodiment of the present invention, generating the master key based on the combined result includes: using a key derivation algorithm to calculate the combined result to generate the master key.

The master key generation device disclosed in the embodiment of the present invention uses both the mobile intelligent terminal personal characteristic data of the mobile intelligent terminal and the server master key component of the server when generating the master key. Relying on the data at one end of the communication can effectively improve the security of the master key.

Based on any of the above embodiments, FIG. 8 is a structural diagram of an apparatus for encrypting sensitive security data provided by an embodiment of the present invention. As shown in FIG. 8 , the apparatus for encrypting sensitive security data provided by an embodiment of the present invention includes:

The mobile intelligent terminal personal characteristic data transmission module 801 is used for the mobile intelligent terminal password component to transmit the obtained mobile intelligent terminal personal characteristic data to the server password component;

The server-side master key component and the mobile intelligent terminal personal characteristic data storage module 802 is used for the server-side cipher component to store the generated server-side master key component and the received personal characteristic data of the mobile intelligent terminal in a password. key container;

a server-side master key component transmission module 803, used for the mobile smart terminal cryptographic component to receive the server-side master key component from the server-side cryptographic component;

The master key generation module 804 is configured to use the master key generation device described in the previous embodiment of the present invention to generate a master key based on the personal characteristic data of the mobile intelligent terminal and the server master key component;

The encryption module 805 is configured to encrypt the sensitive security data by using the master key, and store the encrypted sensitive security data in the key container.

The sensitive security data encryption device disclosed in the embodiment of the present invention generates a master key based on the personal characteristic data of the mobile intelligent terminal and the server master key component, encrypts the sensitive security data by using the master key, and encrypts the server master key The key components, the personal characteristic data of the smart mobile terminal, and the sensitive security data encrypted with the master key (such as the private key of the cryptographic component of the smart mobile terminal) are all stored in the key container, which greatly increases the security of the sensitive security data.

Based on any of the above embodiments of the present invention, the sensitive security data encryption device provided by another embodiment of the present invention further expands the functions of the relevant modules of the sensitive security data encryption device shown in FIG. 8 ; wherein,

The personal characteristic data transmission module of the mobile intelligent terminal includes:

a random number generation and transmission unit, configured to send the random number R to the mobile smart terminal cryptographic component after the server-side cryptographic component obtains the random number R;

a key pair and hash value generation unit, used for the mobile intelligent terminal cryptographic component to generate its own public and private key pair (P _M , D _m ), and to calculate the hash value HPPD of the personal characteristic data of the mobile intelligent terminal;

A merging and encrypting unit, used for the random number R, the hash value HPPD of the personal characteristic data, and the combined value ( _R ||HPPD|| _PM ) of the public key PM of the cryptographic component of the mobile intelligent terminal Use the randomly generated key r _M to encrypt to obtain C ₁ , and use the public key P _S of the server cipher component to encrypt the randomly generated key r _M to obtain C ₂ ; where || represents a combination;

A transmission unit, used for the mobile smart terminal cryptographic component to send the data C ₂ ||C ₁ to the server-side cryptographic component.

The server master key component and the mobile intelligent terminal personal characteristic data storage module include:

A decryption unit, used for the server cipher component to receive data C ₂ ||C ₁ , and then use its own private key d _S to decrypt C ₂ to obtain a randomly generated key r _M , and then use r _M to decrypt C ₁ to obtain ( R||HPPD||P _M );

The storage unit is used for the server cipher component to generate the user ID, the server master key component SS-MKC, and then the hash value HPPD of the personal characteristic data, the server master key component SS-MKC, the mobile intelligent terminal password The public key P _M of the component and the number of PPD attempts are combined to generate (HPPD||SS-MKC|| _PM ||PPD attempts) using the server-side password component storage key K _S to encrypt, and the encrypted result is encrypted by the user The ID is an index stored in the key container; among them, the number of PPD attempts is a value used to reflect the number of times the user attempts to input personal characteristic information.

The server master key component transmission module includes:

The merging and signing unit is used for the random number R, the server master key component SS-MKC, and the user ID to be generated by the server cipher component (R||MKC||user ID), which is encrypted by the server cipher component itself. The key d _S is signed, and rs ₁ is obtained;

an encryption unit, used for the server-side cipher component to encrypt (R||MKC||user ID||rs ₁ ) with another randomly generated key r _Ms to obtain C _1s , and use the key r _{Ms C 2s} is obtained by encrypting the public key PM of the cryptographic component of the mobile intelligent terminal;

a transmission unit, used for the server cipher component to send C _2s ||C _1s to the mobile intelligent terminal cipher component;

A decryption unit, used for the mobile intelligent terminal cryptographic component to decrypt C _2s using its own private key d _M to obtain r _Ms , and then use r _Ms to decrypt C _1s to obtain (R||MKC||user ID||rs ₁ );

a signature verification unit, used for signature verification rs ₁ of the cryptographic component of the mobile intelligent terminal;

A storage unit, used for the smart mobile terminal password component to store the user ID as the identification of the mobile smart terminal password component.

The sensitive security data encryption device provided by the embodiment of the present invention further introduces a security mechanism, and further ensures the security of the data by encrypting the personal characteristic data of the mobile intelligent terminal and the server master key component during the transmission process.

The embodiment of the present invention also provides a device for decrypting encrypted sensitive security data, where the encrypted sensitive security data is obtained by encrypting the sensitive security data encryption device based on any of the above embodiments of the present invention. FIG. 9 is a structural diagram of an apparatus for decrypting sensitive security data provided by an embodiment of the present invention. As shown in FIG. 9 , the apparatus for decrypting sensitive security data provided by an embodiment of the present invention includes:

The personal characteristic data transmission module 901 of the mobile intelligent terminal to be verified is used for the mobile intelligent terminal password component to transmit the obtained personal characteristic data of the mobile intelligent terminal to be verified to the server password component;

The mobile intelligent terminal personal data verification success module 902 is used for the server cipher component to extract the stored personal characteristic data of the mobile intelligent terminal and the server master key component from the key container, and the mobile intelligent terminal personal data to be verified is The characteristic data is checked and consistent with the stored personal data of the mobile intelligent terminal;

a server-side master key component transmission module 903, for transmitting the server-side master key component to the mobile intelligent terminal cryptographic component;

A master key generation module 904, configured to generate a master key by using the master key generation device provided by the embodiment of the present invention based on the personal characteristic data of the mobile intelligent terminal and the server master key component;

The decryption module 905 is used for obtaining encrypted sensitive security data from the key container, and decrypting the encrypted sensitive security data by using the master key to obtain unencrypted sensitive security data.

Based on any of the above embodiments of the present invention, the sensitive security data decryption device provided by another embodiment of the present invention further includes:

The mobile intelligent terminal personal data verification failure module is used for the server cipher component to extract the stored personal characteristic data of the mobile intelligent terminal and the server master key component from the key container, and the personal characteristics of the mobile intelligent terminal to be verified. If the data is inconsistent with the stored personal data of the mobile intelligent terminal, clear the server master key component to zero, and the mobile intelligent terminal cipher component recognizes that the value of the server master key component is zero. Fail, end the operation.

Based on any of the above embodiments of the present invention, the sensitive security data decryption device provided by another embodiment of the present invention further expands the functions of the relevant modules of the sensitive security data decryption device shown in FIG. 9; wherein,

The to-be-verified mobile intelligent terminal personal characteristic data transmission module includes:

a request verification unit, used for the mobile intelligent terminal password component to request the mobile intelligent terminal personal characteristic data verification from the server password component;

a transmission unit, used for the server cipher component to send a random number R to the mobile intelligent terminal cipher component;

The merging and encryption unit is used for the mobile intelligent terminal password component to merge the random number R, the user ID, and the hash value HPPD' of the personal characteristic data of the mobile intelligent terminal to be verified, and according to the combination result (R||user ID|| HPPD′) randomly generate keys r _M1 and r _M2 respectively, use r _M1 to encrypt to obtain C ₁ , and encrypt C1||r _M1 ||r _M2 with the public key P _S of the server cipher component to obtain C ₂ ;

A transmission unit, used for the mobile smart terminal cryptographic component to send the data (C ₂ ||C ₁ ) to the server-side cryptographic component.

The successful module of the mobile intelligent terminal personal data verification includes:

a decryption unit, used for the server cryptographic component to decrypt C ₂ using its own private key d _S to obtain r _M1 and r _M2 , and then use r _M1 to decrypt C ₁ to obtain (R||user ID||HPPD');

The verification success unit is used for the server-side password component to obtain the corresponding data (HPPD||MKC||PM||PPD attempts) from the key container of the mobile intelligent terminal according to the user ID, and store it in the server-side password component The key K _S is decrypted to successfully verify the consistency of the hash value HPPD' of the personal characteristic data of the mobile intelligent terminal to be verified and the hash value HPPD of the personal characteristic data of the mobile intelligent terminal, and the number of PPD attempts.

The sensitive security data decryption device provided by the embodiment of the present invention further introduces a security mechanism, and further ensures data security by encrypting the personal characteristic data of the mobile intelligent terminal and the server master key component during the transmission process.

FIG. 10 illustrates a schematic diagram of the physical structure of an electronic device. As shown in FIG. 10 , the electronic device may include: a processor (processor) 1010, a communication interface (Communications Interface) 1020, a memory (memory) 1030, and a communication bus 1040, The processor 1010 , the communication interface 1020 , and the memory 1030 communicate with each other through the communication bus 1040 . The processor 1010 can invoke the logic instructions in the memory 1030 to perform the following method: combine the personal characteristic data of the mobile intelligent terminal with the server master key component, and generate a master key based on the combined result. Or perform the following method: the mobile intelligent terminal password component transmits the obtained personal characteristic data of the mobile intelligent terminal to the server password component; the server password component combines the generated server master key component with the received mobile The smart terminal personal feature data is stored in the key container; the mobile smart terminal cryptographic component receives the server master key component from the server cryptographic component; based on the mobile smart terminal personal feature data, the server For the master key component, the master key is generated by using the master key generation method; the sensitive security data is encrypted by using the master key, and the encrypted sensitive security data is stored in the key container. Or perform the following method: the mobile intelligent terminal password component transmits the obtained personal characteristic data of the mobile intelligent terminal to be verified to the server password component; the server password component extracts the stored personal characteristics of the mobile intelligent terminal from the key container data and the server master key component, the personal characteristic data of the mobile intelligent terminal to be verified is consistent with the stored personal data of the mobile intelligent terminal; the server master key component is transmitted to the mobile intelligent terminal password component; based on the personal characteristic data of the mobile intelligent terminal and the server master key component, use the master key generation method to generate a master key; obtain the encrypted sensitive security data from the key container, use the master key The key decrypts the encrypted sensitive security data to obtain unencrypted sensitive security data.

In addition, the above-mentioned logic instructions in the memory 1030 can be implemented in the form of software functional units and can be stored in a computer-readable storage medium when sold or used as an independent product. Based on this understanding, the technical solution of the present invention can be embodied in the form of a software product in essence, or the part that contributes to the prior art or the part of the technical solution. The computer software product is stored in a storage medium, including Several instructions are used to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes: U disk, mobile hard disk, Read-Only Memory (ROM, Read-Only Memory), Random Access Memory (RAM, Random Access Memory), magnetic disk or optical disk and other media that can store program codes .

On the other hand, an embodiment of the present invention further provides a non-transitory computer-readable storage medium on which a computer program is stored, and the computer program is implemented when executed by a processor to execute the methods provided by the foregoing embodiments, for example, including: The personal characteristic data of the mobile intelligent terminal and the server master key component are combined, and the master key is generated based on the combined result. Or: the mobile intelligent terminal cipher component transmits the obtained personal characteristic data of the mobile intelligent terminal to the server cipher component; the server cipher component combines the generated server master key component with the received personal data of the mobile intelligent terminal The feature data is stored in the key container; the smart mobile terminal cryptographic component receives the server master key component from the server cryptographic component; based on the personal feature data of the mobile smart terminal, the server master key components, the master key is generated by using the master key generation method; the sensitive security data is encrypted by using the master key, and the encrypted sensitive security data is stored in the key container. Or: the mobile intelligent terminal cipher component transmits the obtained personal characteristic data of the mobile intelligent terminal to be verified to the server cipher component; the server cipher component extracts the stored mobile intelligent terminal personal characteristic data and services from the key container The terminal master key component, the personal characteristic data of the mobile intelligent terminal to be verified is checked and consistent with the stored personal data of the mobile intelligent terminal; the server master key component is transmitted to the mobile intelligent terminal password component; based on The personal characteristic data of the mobile intelligent terminal and the server master key component are generated by using the master key generation method; the encrypted sensitive security data is obtained from the key container, and the master key pair is used to generate the master key. The encrypted sensitive security data is decrypted to obtain unencrypted sensitive security data.

The device embodiments described above are only illustrative, wherein the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in One place, or it can be distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution in this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.

From the description of the above embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus a necessary general hardware platform, and certainly can also be implemented by hardware. Based on this understanding, the above-mentioned technical solutions can be embodied in the form of software products in essence or the parts that make contributions to the prior art, and the computer software products can be stored in computer-readable storage media, such as ROM/RAM, magnetic A disc, an optical disc, etc., includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform the methods described in various embodiments or some parts of the embodiments.

Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, but not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that it can still be The technical solutions described in the foregoing embodiments are modified, or some technical features thereof are equivalently replaced; and these modifications or replacements do not make the essence of the corresponding technical solutions deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (22)

1. A master key generation method, comprising:

combining personal characteristic data of the mobile intelligent terminal with a server side master key component, and generating a master key based on a combined result; wherein,

the personal characteristic data of the mobile intelligent terminal is data related to personal characteristics of a user, and the server side master key component is a random number generated by the server side password component.

2. The master key generation method of claim 1, wherein generating the master key based on the combined result comprises: and calculating the combined result by adopting a key derivation algorithm to generate a master key.

3. A method for encrypting sensitive secure data, comprising:

the method comprises the steps of transmitting personal characteristic data of the mobile intelligent terminal, namely transmitting the obtained personal characteristic data of the mobile intelligent terminal to a server-side password component by a password component of the mobile intelligent terminal;

a server side main key component and mobile intelligent terminal personal characteristic data storage step, wherein the server side password component stores the generated server side main key component and the received mobile intelligent terminal personal characteristic data in a key container;

a server side main key component transmission step, wherein the mobile intelligent terminal password component receives the server side main key component from the server side password component;

a master key generation step, which is used for generating a master key by adopting the master key generation method of any one of claims 1-2 based on the personal characteristic data of the mobile intelligent terminal and the server side master key component;

and an encryption step, encrypting the sensitive safety data by adopting the main key, and storing the encrypted sensitive safety data in the key container.

4. The sensitive secure data encryption method of claim 3, wherein the mobile intelligent terminal personal characteristic data transmission step comprises:

after the server side password component obtains a random number R, the random number R is sent to the mobile intelligent terminal password component;

the mobile intelligent terminal password assembly generates a private and public key pair (P)_M、D_m) Calculating a hash value HPPD of personal characteristic data of the mobile intelligent terminal;

the mobile intelligent terminal password component enables a random number R, a hash value HPPD of personal characteristic data and a public key P of the mobile intelligent terminal password component_MCombined value of (R | | HPPD | | P)_M) Using a randomly generated key r_MEncrypting to obtain C₁Using public key P of server side cryptographic component_SFor the randomly generated key r_MEncrypted to obtain C₂(ii) a Wherein, | | represents merging;

the mobile intelligent terminal password component transmits data C₂||C₁And sending the data to the server password component.

5. The sensitive secure data encryption method of claim 4, wherein the server-side master key component and mobile smart terminal personal characteristic data storage step comprises:

the server password component receives data C₂||C₁Then use its own private key d_SDecryption C₂To obtain a randomly generated key r_MThen use r_MDecryption C₁To obtain (R | | HPPD | | P_M)；

The server side password component generates a user ID, a server side main key component SS-MKC, a hash value HPPD of personal characteristic data, the server side main key component SS-MKC and a public key P of the mobile intelligent terminal password component_MGenerated by combining PPD trial times (HPPD | | | SS-MKC | | | P)_MPPD number of attempts) stores the key K using the server-side cryptographic component_SEncrypting, and storing the result obtained by encryption in a key container by taking the user ID as an index; wherein the PPD attempt number is a value reflecting the number of times the user attempts to input the personal characteristic information.

6. The sensitive secure data encryption method of claim 5, wherein the server-side master key share transmitting step comprises:

the server side password component combines a random number R, a server side main key component SS-MKC and a user ID to generate (R | | | MKC | | | user ID) and uses a server side password component self key d_SSigning to obtain rs₁；

The server side password component will (R | | | MKC | | user ID | | | rs₁) Using another randomly generated key r_MsEncrypting to obtain C_1sAnd combines the key r_MsPublic key P using mobile intelligent terminal cipher assembly_MEncrypted to obtain C_2s；

The server password component sends C_2s||C_1sSending the password to the mobile intelligent terminal password component;

the password component of the mobile intelligent terminal uses a private key d of the password component_MDecryption C_2sTo obtain r_MsThen use r_MsDecryption C_1sTo obtain (R | | MKC | | user ID | | | rs₁)；

Signature verification rs for password component of mobile intelligent terminal₁；

And the mobile intelligent terminal password component stores the user ID as the identification of the mobile intelligent terminal password component.

7. A sensitive secure data decryption method for decrypting sensitive secure data encrypted by the sensitive secure data encryption method according to any one of claims 3 to 6, comprising:

the method comprises the steps of transmitting personal characteristic data of the mobile intelligent terminal to be verified, wherein the mobile intelligent terminal password component transmits the obtained personal characteristic data of the mobile intelligent terminal to be verified to a server side password component;

the method comprises the following steps that personal data of the mobile intelligent terminal are successfully verified, the server side password component extracts stored personal feature data of the mobile intelligent terminal and a server side main key component from a key container, and the personal feature data of the mobile intelligent terminal to be verified are matched with the stored personal data of the mobile intelligent terminal;

a server side main key component transmission step, wherein the server side main key component is transmitted to the mobile intelligent terminal password component;

a master key generation step, which is used for generating a master key by adopting the master key generation method of any one of claims 1-2 based on the personal characteristic data of the mobile intelligent terminal and the server side master key component;

and a decryption step, namely acquiring the encrypted sensitive safety data from the key container, and decrypting the encrypted sensitive safety data by adopting the main key to obtain the unencrypted sensitive safety data.

8. The sensitive secure data decryption method of claim 7, further comprising: and a step of failure verification of personal data of the mobile intelligent terminal, in which the server password component extracts stored personal characteristic data of the mobile intelligent terminal and a server main key component from a key container, the personal characteristic data of the mobile intelligent terminal to be verified is inconsistent with the stored personal data of the mobile intelligent terminal, the server main key component is cleared, and the mobile intelligent terminal password component identifies that the prompt fails when the value of the server main key component is zero, and the operation is ended.

9. The sensitive secure data decryption method of claim 7, wherein the step of transmitting the personal characteristic data of the mobile intelligent terminal to be authenticated comprises:

the mobile intelligent terminal password component requests the server side password component for verification of personal characteristic data of the mobile intelligent terminal;

the server side password component sends a random number R to the mobile intelligent terminal password component;

the mobile intelligent terminal password component combines the random number R, the user ID and the hash value HPPD 'of the personal characteristic data of the mobile intelligent terminal to be verified, and respectively generates the secret key R at random according to the combination result (R | | user ID | | HPPD')_M1、r_M2Using r_M1Encrypted to obtain C₁And C is₁||r_M1||r_M2Public key P using server side cryptographic component_SEncrypting to obtain C₂；

The mobile intelligent terminal password component transmits data (C)₂||C₁) And sending the data to the server password component.

10. The sensitive secure data decryption method of claim 9, wherein the mobile intelligent terminal personal data verification success step comprises:

the server side password component uses a self private key d_SDecryption C₂To obtain r_M1 and r_M2Then use r_M1Decryption C₁Obtaining (R | | user ID | | | HPPD');

the server side password assembly obtains corresponding data (HPPD (MKC (high Power Perkin Elder) |) PM (Master Perkin Elder) PPD (PPD) trial times) of the mobile intelligent terminal password assembly from the key container according to the user ID (identity), and stores the key K by the server side password assembly_SAnd decrypting and successfully verifying the consistency of the personal characteristic data hash value HPPD' of the mobile intelligent terminal to be verified and the personal characteristic data hash value HPPD of the mobile intelligent terminal and PPD (protocol data display) trial times.

11. A master key generation apparatus, comprising:

the master key generation module is used for combining the personal characteristic data of the mobile intelligent terminal with the master key component of the server side and generating a master key based on the combined result; wherein,

the personal characteristic data of the mobile intelligent terminal is data related to personal characteristics of a user, and the server side master key component is a random number generated by the server side password component.

12. The master key generation apparatus of claim 11, wherein the generating of the master key based on the combined result comprises: and calculating the combined result by adopting a key derivation algorithm to generate a master key.

13. A sensitive secure data encryption apparatus comprising:

the mobile intelligent terminal personal characteristic data transmission module is used for transmitting the obtained mobile intelligent terminal personal characteristic data to the server side password component by the mobile intelligent terminal password component;

the server side main key component and mobile intelligent terminal personal characteristic data storage module is used for storing the generated server side main key component and the received mobile intelligent terminal personal characteristic data in a key container by the server side password component;

the server side main key component transmission module is used for receiving the server side main key component from the server side password component by the mobile intelligent terminal password component;

a master key generation module, configured to generate a master key by using the master key generation apparatus according to any one of claims 11 to 12, based on the mobile intelligent terminal personal feature data and the server-side master key component;

and the encryption module is used for encrypting the sensitive safety data by adopting the main key and storing the encrypted sensitive safety data in the key container.

14. The sensitive secure data encryption apparatus of claim 13, wherein the mobile intelligent terminal personal characteristic data transmission module comprises:

the random number generating and transmitting unit is used for sending the random number R to the mobile intelligent terminal password component after the server password component obtains the random number R;

a key pair and hash value generation unit for generating self public and private key pair (P) by the mobile intelligent terminal password component_M、D_m) Calculating a hash value HPPD of personal characteristic data of the mobile intelligent terminal;

a merging and encrypting unit for the cryptographic component of the mobile intelligent terminal to use the random number R, the hash value HPPD of the personal characteristic data and the public key P of the cryptographic component of the mobile intelligent terminal_MCombined value of (R | | HPPD | | P)_M) Using a randomly generated key r_MEncrypting to obtain C₁Using public key P of server side cryptographic component_SFor the randomly generated key r_MEncrypted to obtain C₂(ii) a Wherein, | | represents merging;

a transmission unit for the mobile intelligent terminal password component to transmit data C₂||C₁And sending the data to the server password component.

15. The sensitive secure data encryption apparatus of claim 14, wherein the server side master key share and mobile smart terminal personal characteristic data storage module comprises:

a decryption unit for receiving data C by the server side password component₂||C₁Then use its own private key d_SDecryption C₂To obtain a randomly generated key r_MThen use r_MDecryption C₁To obtain (R | | HPPD | | P_M)；

A storage unit for the server side password component to generate a user ID, a server side main key component SS-MKC and a hash value HPPD of personal characteristic data and the server side main key componentPublic key P of SS-MKC and mobile intelligent terminal password assembly_MGenerated by combining PPD trial times (HPPD | | | SS-MKC | | | P)_MPPD number of attempts) stores the key K using the server-side cryptographic component_SEncrypting, and storing the result obtained by encryption in a key container by taking the user ID as an index; wherein the PPD attempt number is a value reflecting the number of times the user attempts to input the personal characteristic information.

16. The sensitive secure data encryption apparatus of claim 15, wherein the server side master key share transmission module comprises:

a merging and signing unit for merging the random number R, the server master key component SS-MKC and the user ID by the server password component to generate (R | | MKC | | user ID) using the server password component self key d_SSigning to obtain rs₁；

An encryption unit for the server side password component to encrypt (R | | | MKC | | user ID | | rs)₁) Using another randomly generated key r_MsEncrypting to obtain C_1sAnd combines the key r_MsPublic key P using mobile intelligent terminal cipher assembly_MEncrypted to obtain C_2s；

A transmission unit for the server side password component to send C_2s||C_1sSending the password to the mobile intelligent terminal password component;

a decryption unit for the mobile intelligent terminal password component to use its own private key d_MDecryption C_2sTo obtain r_MsThen use r_MsDecryption C_1sTo obtain (R | | MKC | | user ID | | | rs₁)；

The signature verification unit is used for signature verification rs of the password component of the mobile intelligent terminal₁；

And the storage unit is used for storing the user ID as the identification of the mobile intelligent terminal password component by the mobile intelligent terminal password component.

17. A sensitive secure data decrypting apparatus for decrypting sensitive secure data encrypted by the sensitive secure data encrypting apparatus according to any one of claims 13 to 16, comprising:

the mobile intelligent terminal personal characteristic data transmission module to be verified is used for the mobile intelligent terminal password component to transmit the obtained mobile intelligent terminal personal characteristic data to be verified to the server side password component;

the server side password component is used for extracting stored mobile intelligent terminal personal characteristic data and a server side main key component from a key container, and the mobile intelligent terminal personal characteristic data to be verified is matched with the stored mobile intelligent terminal personal data;

the server side main key component transmission module is used for transmitting the server side main key component to the mobile intelligent terminal password component;

a master key generation module, configured to generate a master key by using the master key generation apparatus according to any one of claims 11 to 12, based on the mobile intelligent terminal personal feature data and the server-side master key component;

and the decryption module is used for acquiring the encrypted sensitive safety data from the key container and decrypting the encrypted sensitive safety data by adopting the main key to obtain the unencrypted sensitive safety data.

18. The sensitive secure data decryption device of claim 17, further comprising: and the mobile intelligent terminal personal data verification failure module is used for extracting the stored mobile intelligent terminal personal characteristic data and the server side main key component from the key container by the server side password component, clearing the server side main key component when the mobile intelligent terminal personal characteristic data to be verified is inconsistent with the stored mobile intelligent terminal personal data, and finishing the operation when the mobile intelligent terminal password component identifies that the value of the server side main key component is zero, thereby prompting failure.

19. The sensitive secure data decryption apparatus of claim 17, wherein the to-be-authenticated mobile intelligent terminal personal characteristic data transmission module comprises:

the request verification unit is used for requesting the password component of the mobile intelligent terminal to the password component of the server side for verifying personal characteristic data of the mobile intelligent terminal;

the transmission unit is used for sending a random number R to the mobile intelligent terminal password component by the server password component;

a merging and encrypting unit, configured to merge the random number R, the user ID, and the hash value HPPD 'of the personal feature data of the mobile intelligent terminal to be verified by the cryptographic component of the mobile intelligent terminal, and respectively randomly generate the secret key R according to the merging result (R | | user ID | | HPPD')/to_M1、r_M2Using r_M1Encrypted to obtain C₁And C is₁||r_M1||r_M2Public key P using server side cryptographic component_SEncrypting to obtain C₂；

A transmission unit for transmitting data (C) to the password component of the mobile intelligent terminal₂||C₁) And sending the data to the server password component.

20. The sensitive secure data decryption apparatus of claim 19, wherein the mobile intelligent terminal personal data verification success module comprises:

a decryption unit for the server side password component using its own private key d_SDecryption C₂To obtain r_M1 and r_M2Then use r_M1Decryption C₁Obtaining (R | | user ID | | | HPPD');

a successful verification unit, configured to obtain, by the server-side password component, corresponding data of the mobile intelligent terminal password component (HPPD | | MKC | | PM | | PPD attempt times) from the key container according to the user ID, and store the key K with the server-side password component_SAnd decrypting and successfully verifying the consistency of the personal characteristic data hash value HPPD' of the mobile intelligent terminal to be verified and the personal characteristic data hash value HPPD of the mobile intelligent terminal and PPD (protocol data display) trial times.

21. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the program performs the steps of the master key generation method of any one of claims 1 to 2, or performs the steps of the sensitive secure data encryption method of any one of claims 3 to 6, or performs the steps of the sensitive secure data decryption method of any one of claims 7 to 10.

22. A non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor performs the steps of the master key generation method according to any one of claims 1 to 2, or the steps of the sensitive secure data encryption method according to any one of claims 3 to 6, or the steps of the sensitive secure data decryption method according to any one of claims 7 to 10.

Images